On Wed, 23 Feb 2005 20:38:07 +0100, markus reichelt <ml@xxxxxxxxxxxx> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Rodrigo Baroni <rodrigobaroni@xxxxxxxxx> wrote:
> > > > > this. in general, relying on packages made by others when it comes to
> > > > > security stuff isn't very smart.
> >
> > Do you know the Debian policy about package maintainers? I don't
> > think so.
>
> I hope you didn't bet any money on that :-)
>
> in my opinion using a package system for security stuff decreases
> security. i think it best to build the stuff directly from official
> sources (note: i did not write latest official sources) - simply for
> the reason that one doesn't have to rely on additionally trusting
> others to some extent, even in times of gnupg and such. it's just an
> unnecessary step (to save time), and it does not increase security -
> so why take it in the first place?

It's not about wasting time by having to rely on additionally trusting
others to some extent, since I never hear about a backdoor in some
Debian package that wasn't in the original sources (but ok, we can't
ignore this possibility..).

So, if time is not a problem since it is not the main care (and I agree
about that), we can get the original sources and the package's
unpackaged (extracted - dpkg -x <package>.deb) sources (wow :), see if
they differ and, if not, keep the package installed - so we can have a
system with the aes-loop-utils mount/losetup managed by the package
management system and keep all dependent packages informed about it.
(Jari, can this be mentioned to the paranoids in the aes-loop.readme
too?)

> but please keep in mind there are folks who prefer to do things the perl
> way ;) and i'm just one of them. if you look around there's plenty of
> different ways of running unix systems out there, all for a reason.
> best example with good docs would be LFS. that's not only something
> for ppl with too much time on their hands, one can build a pretty
> damn tight and secure system that way.

Err.. no. I love to reinvent the wheel :), but when you have the
possibility to configure and keep all packages managed by a powerful
(yes, dpkg/apt is powerful) centralized package management system in a
wonderful way, with a very nice BTS, and other things, sometimes that
way of administrating a package is more than a 'time safe' option.

Btw, thanks for your reply

Best regards,
--
Rodrigo Ferreira Baroni

-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
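
The comparison step proposed in the message above, as an added example that is not part of the original post or of aes-loop-utils: it hashes every regular file in two already-extracted trees and lists what differs. The function names (`manifest`, `compare_trees`, `demo`) and the sample trees are constructed for illustration; it assumes GNU `sha256sum` and that both trees hold the same kind of content (for example, two unpacked source trees).

```shell
#!/bin/sh
# Added example. Compares two already-extracted directory trees by SHA-256.
# Only regular files are hashed; symlinks, modes and owners are not compared.

# manifest DIR: print "<sha256>  ./relative/path" for each regular file in DIR.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + )
}

# compare_trees UPSTREAM_DIR PACKAGE_DIR
# Prints one line per difference and returns 1; prints nothing and returns 0
# when the trees match; returns 2 on a usage or setup error.
compare_trees() {
    [ -d "$1" ] && [ -d "$2" ] || return 2
    up=$(mktemp) && pk=$(mktemp) || return 2
    manifest "$1" > "$up"
    manifest "$2" > "$pk"
    out=$(awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { a[path] = hash; next }
        { b[path] = hash }
        END {
            for (p in a) {
                if (!(p in b)) { print "only-upstream " p }
                else if (a[p] != b[p]) { print "changed " p }
            }
            for (p in b) { if (!(p in a)) { print "only-package " p } }
        }' "$up" "$pk" | sort)
    rm -f "$up" "$pk"
    if [ -z "$out" ]; then return 0; fi
    printf '%s\n' "$out"
    return 1
}

# demo: build two small constructed trees (not real package data) and compare.
demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/upstream/src" "$d/package/src"
    echo 'int main(void){return 0;}' > "$d/upstream/src/main.c"
    echo 'int main(void){return 1;}' > "$d/package/src/main.c"
    echo 'docs' > "$d/upstream/README"
    echo 'docs' > "$d/package/README"
    echo 'extra' > "$d/package/src/patch.c"
    compare_trees "$d/upstream" "$d/package"; rc=$?
    rm -rf "$d"
    return $rc
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

A non-empty result shows where to look by hand; a clean result covers only file contents in the two trees compared, not the maintainer scripts or metadata shipped alongside them.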